9.0 Granular Audits

It is a best practice to perform granular audits, primarily because operators may miss true-positive alerts raised by a real-time security monitoring system that warns them of an attack. The following best practices should be followed when establishing a system for granular audits.
9.1 Create a cohesive audit view of an attack

9.1.1 Why?

To answer the essential questions following an attack. As an attack may consist of several stages (e.g., a reconnaissance scan followed by the exploitation of a vulnerability), it is important to collect all the pieces of the puzzle and put each into its place; only then can a cohesive view be established. Building a consistent and cohesive audit trail answers the basic questions: what happened? when did it happen? how did it happen? who was the perpetrator? and why did it happen?
9.1.2 How?

• Enable auditing capabilities in a big data infrastructure.
• Select the relevant capabilities depending on the features of the infrastructure components, such as log information from routers, applications, operating systems (OS), databases, and so on.
• Use a SIEM solution, as well as audit and forensics tools, to process the collected audit information.
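The following is an added illustration of what "a cohesive audit view" means in practice; it is not code from the Cloud Security Alliance guidance. It normalizes records from three audit sources (router, OS authentication log, database audit log) into one time-ordered trail, then follows a single actor across the sources to answer the what/when/how/who questions above. All log lines and their formats are constructed for this example, as are the source names, the stage labels and the helper functions.

```python
"""Merge heterogeneous audit records into one trail and answer what/when/how/who.
Added example; log formats, hosts and addresses are constructed, not from any real system."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Event:
    ts: datetime
    source: str   # audit source that produced the record: router, os or db
    actor: str    # IP address or account the record attributes the action to
    action: str   # normalized verb: deny, allow, auth_fail, auth_ok, query
    detail: str   # source-specific context kept for the analyst


# Constructed sample records (formats invented for this example).
ROUTER_LOG = """\
2016-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=21 proto=tcp
2016-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23 proto=tcp
2016-03-01T10:00:02Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3306 proto=tcp
2016-03-01T10:00:02Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
"""
OS_LOG = """\
2016-03-01T10:02:15Z web01 sshd: Failed password for admin from 203.0.113.7
2016-03-01T10:02:19Z web01 sshd: Failed password for admin from 203.0.113.7
2016-03-01T10:02:31Z web01 sshd: Accepted password for admin from 203.0.113.7
"""
DB_LOG = """\
2016-03-01T10:03:40Z db01 audit user=admin client=10.0.0.5 stmt="SELECT * FROM customers"
"""

ROUTER_RE = re.compile(r"^(\S+) \S+ (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)")
OS_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)")
DB_RE = re.compile(r'^(\S+) (\S+) audit user=(\S+) client=(\S+) stmt="([^"]*)"')


def _ts(s: str) -> datetime:
    # All sources must agree on one clock and time zone, or ordering is meaningless.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_router(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if m := ROUTER_RE.match(line):
            ts, verdict, src, dst, port = m.groups()
            events.append(Event(_ts(ts), "router", src, verdict.lower(), f"{dst}:{port}"))
    return events


def parse_os(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if m := OS_RE.match(line):
            ts, host, result, user, src = m.groups()
            action = "auth_ok" if result == "Accepted" else "auth_fail"
            events.append(Event(_ts(ts), "os", src, action, f"{user}@{host}"))
    return events


def parse_db(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if m := DB_RE.match(line):
            ts, host, user, client, stmt = m.groups()
            events.append(Event(_ts(ts), "db", user, "query", f"{stmt} on {host} from {client}"))
    return events


def build_timeline(*event_lists: list[Event]) -> list[Event]:
    """One ordered trail across all sources: the 'puzzle pieces in their places'."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e.ts)


def cohesive_view(timeline: list[Event], actor_ip: str) -> dict:
    """Follow one external actor through the trail and answer what/when/how/who."""
    related = [e for e in timeline if e.actor == actor_ip]
    stages = []
    # Stage 1: many distinct destination ports from one source looks like a scan.
    ports = {e.detail.rsplit(":", 1)[1] for e in related if e.source == "router"}
    if len(ports) >= 3:
        stages.append("reconnaissance scan")
    # Stage 2: repeated failures followed by success from the same source.
    fails = [e for e in related if e.action == "auth_fail"]
    ok = [e for e in related if e.action == "auth_ok"]
    if fails and ok:
        stages.append("password guessing followed by successful login")
        # Pivot from the IP to the account it obtained, then into the database audit.
        users = {e.detail.split("@")[0] for e in ok}
        db = [e for e in timeline if e.source == "db" and e.actor in users and e.ts >= ok[0].ts]
        if db:
            stages.append("database access by compromised account")
            related += db
    related.sort(key=lambda e: e.ts)
    return {
        "who": actor_ip,
        "what": stages,
        "when": (related[0].ts.isoformat(), related[-1].ts.isoformat()),
        "how": [f"{e.ts.time()} {e.source}: {e.action} {e.detail}" for e in related],
        "sources": sorted({e.source for e in related}),
    }


if __name__ == "__main__":
    trail = build_timeline(parse_router(ROUTER_LOG), parse_os(OS_LOG), parse_db(DB_LOG))
    for key, value in cohesive_view(trail, "203.0.113.7").items():
        print(f"{key}: {value}")
```

The pivot step is the point of the exercise: no single source shows the whole attack. The router sees the scan but not the login, the OS log sees the login but not the query, and the database sees a legitimate-looking query by a valid account. Only after the records share a clock and a common actor field can the three be joined into one answer, which is also why the "sources" entry is worth reporting: a source that is missing from the view is an audit gap.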
9.2 Evaluate completeness of information

9.2.1 Why?

To provide a full audit trail. All relevant information that builds up the trail has to be available. As such, completeness of information is key.
9.2.2 How?

• Evaluate upfront which audit information might be relevant and which audit information is available in general. This data may come from log files, OS settings and profiles, and
CLOUD SECURITY ALLIANCE Big Data Working Group Guidance
© Copyright 2016, Cloud Security Alliance. All rights reserved.
48